Or I could build one that does:
- use IPFilter's rdr NAT rules to send all incoming TCP connections
to a single socket;
- write a daemon that listens to that single socket and makes the
outbound connection, faithfully copying data in both directions.
= voila! Non-routing based proxy firewall that allows through all
TCP connections. UDP is a bit more tricky but nonetheless doable.
>And all the "proxy by design but packet filters as an addon" products,
>I have seen so far, ship with only proxy rules enabled in their
>default configuration.
>
>So they are less convenient for a certain class of users and some
>applications "do not work" out of the box. Which is the point of
>the firewall. Which is a point a certain class of users does not get.
>

So what you're really comparing is the default configuration
of packet based firewalls with proxy based firewalls.
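The daemon sketched at the top of this reply, written out as an added example (it is not code from this thread or from IPFilter). The kernel rdr rule delivers every redirected TCP connection to one listening socket; the daemon accepts it, opens the outbound connection itself and copies bytes in both directions, so no packet is ever routed through the box. Assumptions, labelled in the code: the destination lookup is a pluggable callable (a real IPFilter deployment would query /dev/ipnat for the pre-rdr address, whose ioctl struct layout is OS-specific and not reproduced here), and the `loopback_demo` helper uses socketpairs so the relay can be exercised offline.

```python
"""Non-routing TCP proxy: accept on a single socket, connect out, relay.

Added example. The rdr rule (illustrative ipnat syntax, assumed here)
    rdr le0 0/0 port 80 -> 127.0.0.1 port 8080 tcp
hands the connection to this daemon; the daemon never forwards packets.
"""
import selectors
import socket
import sys
import threading

BUFSIZE = 65536


def pump(a, b):
    """Copy bytes between sockets a and b in both directions until each
    side has finished sending. Half-closes are passed through so a peer
    that shuts down its write side sees the same thing it would without
    the proxy. Returns (bytes a->b, bytes b->a)."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, b)   # data = where to forward to
    sel.register(b, selectors.EVENT_READ, a)
    counts = {a: 0, b: 0}
    open_dirs = 2
    while open_dirs:
        for key, _ in sel.select():
            src, dst = key.fileobj, key.data
            data = src.recv(BUFSIZE)
            if not data:
                # src's peer is done sending: stop reading src and pass
                # the half-close on to dst's peer.
                sel.unregister(src)
                try:
                    dst.shutdown(socket.SHUT_WR)
                except OSError:
                    pass            # other side already gone; nothing to pass on
                open_dirs -= 1
            else:
                dst.sendall(data)
                counts[src] += len(data)
    sel.close()
    return counts[a], counts[b]


def handle(client, lookup_dest):
    """Serve one redirected connection: find where it was really going,
    connect there, relay, and tear both sides down."""
    upstream = None
    try:
        upstream = socket.create_connection(lookup_dest(client), timeout=10)
        upstream.settimeout(None)
        pump(client, upstream)
    except OSError:
        pass            # lookup failed, upstream refused, or a side reset
    finally:
        client.close()
        if upstream is not None:
            upstream.close()


def serve(listen_addr, lookup_dest):
    """Accept forever on the single socket the rdr rule points at."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(128)
    while True:
        client, _ = srv.accept()
        threading.Thread(target=handle, args=(client, lookup_dest), daemon=True).start()


def fixed_destination(host, port):
    """Placeholder lookup (assumption): always forward to host:port. On
    IPFilter the daemon would instead ask /dev/ipnat (SIOCGNATL) for the
    pre-rdr destination of client.getpeername(); that struct layout is
    OS-specific and is deliberately not reproduced here."""
    return lambda client: (host, port)


def _read_all(sock):
    chunks = []
    while True:
        data = sock.recv(BUFSIZE)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def loopback_demo(request, response):
    """Exercise pump() offline with two socketpairs standing in for the
    client and the upstream server (constructed test traffic). Returns
    (what the server saw, what the client saw, pump's byte counts)."""
    client, proxy_in = socket.socketpair()
    proxy_out, server = socket.socketpair()
    result = []
    t = threading.Thread(target=lambda: result.append(pump(proxy_in, proxy_out)))
    t.start()
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)           # client finished its request
    seen_by_server = _read_all(server)        # ends when the half-close arrives
    server.sendall(response)
    server.close()
    seen_by_client = _read_all(client)
    client.close()
    t.join()
    proxy_in.close()
    proxy_out.close()
    return seen_by_server, seen_by_client, result[0]


if __name__ == "__main__":
    # usage: proxy.py LISTEN_PORT DEST_HOST DEST_PORT
    lport, dhost, dport = int(sys.argv[1]), sys.argv[2], int(sys.argv[3])
    serve(("127.0.0.1", lport), fixed_destination(dhost, dport))
```

Two points the relay has to get right that the one-line sketch hides: the half-close must be propagated (many protocols end a request by shutting down the write side, and a proxy that closes both directions on the first EOF breaks them), and the daemon, not the kernel, is the only thing that ever connects outward, which is exactly what makes this a proxy rather than a router with a filter in front of it.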